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[57] ABSTRACT 

There is disclosed a system and method for dispensing 
postage (or other graphical security indicia) electronically 
by using a portable processor containing a maximum 
amount of pieauthorized postage which can be ^lied to 
any piece of mail. The portable processor can be refilled at 
various locations through the use of a dosed-loop system 
which relies upon a database of users who are preregistered 
in the database. Eadi transaction, whether cheddng postage 
indida for validity or refilling the portable processors, relies 
upon information pertaining to the registered user of the 
processor matching Ae information in the database. Ttiis 
system allows for the validation of a graphical security 
indida at a location detached from the creator of the 
graphical indicia. 
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"E-Stomp"- Post N Mail. Inc. 

Software instollotion & screen prompts. 
1. Insert disk 1 in drive. 
201 2. Select Run...from Hie Menu in Progrom Monoger 

3. Type b:\setup ond click O.K. (substitute b for correct drive) 

4. Follow instructions on screen. 



Screen 1. 
203- 




Screen 5 
211^ 



t. Connect TMU holder to your Serial port. 2.lnsert TMU button in holder. 
3.Switch ON your printer, check poper, 
4.Prepare the following information: Full name ond address of owner, 
EIN # (if orgonizolion). Social Security | (if individual) 
Zip code 5+4. telephone and Fox § 
^"^^■^^ Proceed ^ 



I 



llegol terms, conditions and Licensing ogreement. 
2.Acceptonce of above by clicking Proceed, p^^^^^ 




1. Display of "E-STAMP^ seriol § ond TMU seriol § (non-occessible) 
2.Enter owner informotion 



T 



Proceed 




WARNING.: Verify obove informotion. 
LAST CHANCE 



I 



Proceed 





1. Please ensure printer is ON LINE 
2.The obove informotion will be printed in triplicote 
3.Sign ond moil two copies to Post N Moil, retoin one copy 
4.A registration cord wilt be moiled to you to occess TMU refilling stolions 

Proceed 

i — 



INSTALLATION PROCEEDING 
Now copying files... % completed 
Insert diskette jff 2 



Proceed 



I 



INSTALWTION PROCEEDING 
Now copying files... % completed 
Instollotion completed 



FIG. 2 
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Staiio. Or. Suite I 505^''^""' f°« (713)699-0101 

Houston. Tx 77030-1512 



31 



If 000000001 
1000000001 



^T,M.U. Button Serial 
■j2^E-Slomp Serial 

Registered user: 
individual Solim G. Koro 
J, Orgonizotion GlotKil Impex. Inc. 
Address: 505 Cypress Station Or 

Suite 1505 
City: Houstor* Stote: Tx 



"E-Stamp"™ - Registration form 

Date: April 20, 1994 



Time: 01:29 AM 



} 



33 



Telephone: (713)583-8909 Fox: (713)699-0101 



Sociol Security § 636-18-0137 
Employer I.N. § 76-0422781 



Zipcode+4: 77090-1612 



Post N Mail License Agreement 

This is a tegol agreement between you (on individuol or on entity), the end user, and 
Post N Moil, Inc. If you do not agree to the ternns of this Agreement, promptly return 
the disk package and accompanying items (including oil hardware, written materials ond 
binders or other contoiners) to the place you obtained them for o full refund. 
License 

1, Grant of License. 

2. Term of License. 
3- Copyright. 

4. Other restrictions. 

5. Limited warranty. 

6. Customer remedies. 

7. No Other Warranties. 

8. No Liability for Consequential Domoges. 

308 

^ ^ 

Signature 

FIG. 3A 
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"^^H PostageMaker ■io™ 






Log in the Moster button 


1 Create o New Postage Button 


Log In an Agent button 


Add Postage to a Used Button 


Create on Agent Button 


Attempt to Repair a Damaged Button 




Exit PostageMaker 



FIG, 4A 





Enter master password tiere: 








1 Unlock 


1 
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Enter agent password here: 








i Unlock 





FIG. 4C 







p Owner infftrmnfjftn 




Agent RegistroHon ID: |l 

Agent Rrst Nome: | | 
Agent Lost Name: | 




- Password for new button 


Agent Access PIN: | 
Confirm Agent Access | 




OK Cancel 


FIG. 4D 
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j Agent Button Registrotions ; 



r Owner Information 



Agent Registration ID: |AG1 234567 



Agent firsi Name: | John 



Agcni Last Name: | Smith 



r Password tor new button 



Agent Access PIN: j 



Confirm Agent Access | 



OK 



Concel 



FIG. 4E 





/T\ Place new Agent Meter In first sl( 
\V [ENTER] when ready. 


E)t on Om 
|0K| 


3 Wire Bus so we can format it. Hit 



FIG. 4F 











® 


Agent has been regis 

iLOKj 


lered on the button. 



FIG. 4G 
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/T\ Place new Postoge Meter In first 
\V [ENTER] when ready. 


slot on One Wire Bus so we can formot H. Itit 

1 OK J 
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RECEIPT 



RECEIPT NO: 



AG7654321 



POSTAGE BUTTON REFILL SERVICES 
TRANSACTION: 

AUTHORIZATION CODE: MAI 234567 

POSTAGE BUTTON: 

SERIAL NO: 0800101000EO 



FIG. 41 



TRANSACTION DATE: 5/25/95 
TRANSACTION TYPE: INITIALIZE 
TRANSACTION AMOUNT: 



2.0O 



OWNER: 
OWNER ZIP CODE 
TRANSACTION COUNTER 
REMAINING CREDIT BALANCE 



00 



2.00 



5/25 



Add Postoge 1o o Button i 



r Button information 

Button Seriol No.: 0800101000EO 
PNM Registration No.: 

Lost Access On: 05/25/95 
Remaining Balance: $2.00 



Name: 
Zip Code: 
Expires On: 08/23/95 



-Add Postoge 



Current Balance: $2.00 
TronsQction Balance: 





100 







-Button Refill Information 



Refill Date: 05/25/95 
Site ID: 000001 

Refill Balance: 



Refill Time: 12:37 PM 
Worlcstatlon 1" 



OK 



J Accept ~| 



Re-Enter 



Concel 



FIG, 4J 
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^^^Button Seriol No.;l0800101000E0 INomeilPQuI Alto^^M 



ggPNM Registrotion No.; ===^ ^^^^ ZIp Code;i77026-42 17^^ 
^Lost Access On: §05/25/95^^^^ Expires a-=ap /o»/ac 



g^^Remoining Bolonce:|$2.00 




FIG. 4K 



p Button information 1 

Button Serial No.: 08001 01 OOOEO Nome: 
PNM Registration No.: Zip Code: 

Lost Access On: 05/25/95 Expires On: 08/23/95 

Remaining Bolonce: $2.00 

pAdd Postoge^ — 1 

Current Bolonce: $2.00 

Tronsoction Balance: I 100 



-Button Refill Informotlon 

Refill Dote: 05/25/95 Refill Time: 12:37 Plyl 

Site ID: 000001 WorlcstQtion 1" 

Refill Balance: $102.00 



OK 






Accept 






Re-Enter 




Concel 



FIG. 4L 
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Add Postage Comfirmotion I 



Do you want to odd $100 to button? 





OK 






Cancel 



FIG. 4M 





(J^ The desired omoo 


nt wos 

OK 
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AG7554321 



POSTAGE BUTTON REFILL SERVICES 
TRANSACTION: 

AUTHORIZATION CODE: MAI 234567 



POSTAGE BUnON: 

SERIAL NO: 



080010100GEO 



5/25 



TRANSACTION DATE: 5/25/95 
TRANSACTION TYPE: CREDIT 
TRANSACTION AMOUNT: 



IGO.OO 



OWNER 
OWNER ZIP CODE 
TRANSACTION COUNTER: 
REMAINING CREDIT BALANCE 



01 



102.00 



FIG. 40 
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INTERNAL BUTTON CREDIT PROCESS 
SOQ-S rCREDfT) 
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508- 



UPOATE REFILL BALANCE. 

STRIKE COUNTER AND 
TRANSACTION HISTORY LOG 



509 



FIG. 5A 
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602 



NO 



VALIDATE TRANSACTION BUFFER 




UPDATE METER BALANCE. 
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CREATE DEBIT SECURITY PACKET 
AND SEND TO HOST FOR USE 
IN PRINTING POSTAL INDICIA 



611 



ERROR: NO 
TRANSACTION 




605 



ERROR 
NO VALID 
TRANSACTION 



lON^ 



< ERROR: \ 
AMOUNT I 
INVALID J 
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FIG, 5B 
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POSTAGEMAKER BUHON VALIDATION 




FIG. 10A 



12/18/2002, EAST Version: 1.03.0002 



UJS. Patent Jul. 7, 1998 sheet 18 of 23 



5,778,076 



1019- 
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CONNECT 
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1008 



CONNECT 
TO MASTER 
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1016^ 



DEMAND 
AGENT 
PASSWORD 



DEMAND 
MASTER 
PASSWORD 



IF AUTHORITY LEVEL 
2: AGENT BUHON 
INITIALIZE 
OPERATIONS 

"7 
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1018- 



IF AUTHORITY LEVEL 
1: POSTAGE BUnON 
INITIAUZE. REFILL OR 
REPAIR OPERATIONS 




SET AUTHORITY LEVEL 
2 FOR MASTER AND 
LEVEL 1 FOR AGENT 
AND MASTER BOTH 



FIG. 10B 
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POSTAGEMAKER BUHON 
REFILL PROCESS 



POSTAGEMAKER BUTTON 
INITIALIZATION PROCESS 



1030 



POSTAGE BUnON 
REFILL CREDITS 



D 



1040 





POSTAGE BUTTON 
INITIALIZE 



D 



ACCEPT INPUT 
1032^ FOR AMOUNT TO 
BE CREDITED TO 
POSTAGE BUnON 



1033- 



COiylMANO: 
(HOST TO BUTTON) 
CREDIT WITH AMOUNT 



ERROR: 
BUnON NON- 
RESPONSIVE 






1043 



COMMAND: 
(HOST TO BUnON) 
INITIALIZE FOR 
POSTAGE USE 



1034 



1035 





YES 




1036 







DISPLAY RESULTS 
AND PRINTOUT 
A CUSTOMER 
RECEIPT 





ERROR: 
BUnON NON 
RESPONSIVE 



IO37XJNO 

FIG. IOC 





YES 




1046 







'DISPLAY RESULTS 
AND PRINTOUT 
A CUSTOMER 
RECEIPT 



1047 



FIG. 1 0D 
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POSTAGEMAKER BUTTON 
REPAIR PROCESS 
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COMMAND: (HOST TO 
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ERROR: 
BUTTON NON 
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YES 
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DISPLAY RESULTS 
OF OPERATION 
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FIG. 10E 



POSTAGEMAKER AGENT 
INITIALIZATION PROCESS 
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BLOCK DIAGRAM OF MEMORY LAYOUT FOR PREFERRED 
EMBODIMENT OF PORTABLE POSTAGE PROCESSOR 



3k BYTES NON- 


-VOLATILE STATIC RAM 


CREATION DATE/TIME 


CURRENT BALANCE 


CREATING AGENT ID 


STRIKE COUNTER 


BUnON TYPE: (POSTAGE) 


BALANCE BEFORE LAST REFILL 


PASSWORD 


LAST REFILL DATE 


USER REGISTRATION ID 


LAST REFILL AMOUNT 


USER NAME 


LAST REFILL AGENT ID 


USER ADDRESS 


LAST REFILL POSTAL LOCATION ID 


USER STATE 


LAST REFILL STATION NUMBER 


USER ZIP 


TRANSACTION LOG 


USER PHONE 


EVENT LOG 


USER FAX 


ENCRYPTION KEYS 



FIG. 12 1201 



BLOCK DIAGRAM OF MEMORY LAYOUT FOR PREFERRED EMBODIMENT OF 
PORTABLE SECURITY DEVICE PROCESSOR FOR AGENT AND MASTER 



3k BYTES NON-VOLATILE STATIC RAM 


CREATION OATEAIME 
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CREATING MASTER ID 
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BUnON TYPE: (AGNT OR MSTR) 


ENCRYPTION KEYS 


PASSWORD 




AGENT REGISTRATION 10 
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FIG. 13 1301 
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SYSTEM AND METHOD FOR Thus, in acWition to the monthly rent the servicing and 

CONTROLLING THE DISPENSING OF AN replenishing of the meter requires the time and expense of at 

AUTHENTICATING INDICIA ^^ast one employee to take the meter to the U.S. Post Office 

to have it replenished. Of course, this procedure results in 

REFERENCE TO RELATED APPUCAnONS 5 down-time wherein the postage meter is not available to the 

„ . . . - business for the application of postage to outgoing mail. In 

The present ^phcadon is a contmuation-in-part of U.S. addition, because of the monthly rent and the size of these 

plication Ser No Oi^^ 22, im now ^^^^^^ ^^^^^ businesses to have 

U.S. Pat No. 5,606 J07, and entitled * System and Method j^^^ than one postage meter to alleviate this down-time, 

for Storing. Retrieving and Automatically Printing Postage La^^jy ^^^^ ^ ^^thing inherent in the postal meter system 

on Mail," which in turn is a continuation-in-part of U.S. which inhibits fraud. 

appli^on, Sa No 08/176J16 ftled Jan. 3. 1994 now ^ previously mentioned, the alternative to a business. 

US. Pat No. 5 5 10^2. and cndUed "System and Method ^ ^ , ^^^^^ j advantages of a 

for AutonumcaUy Ptinting Postage on Mafl." ^ ^ ,^ buy sheets, or books, ofstonips. 

TECHNICAL FIELD OF THE INVENTION " » « °« ^ ^^"^^'^ Since a 

vanety or denonunations of stamps are generally reqmrea 

This invention relates in general to a portable postage applying two 290 stanq>s to a letter requiring only 40^. will 

stcxagc device that can be coupled to processor-based host begin to add up over time. Additionally, it is difficult for a 

systems to receive and retrieve an amount of authorized business to keep track of stamp inventories and stan^ are 

postage and to enable the printing of an authenticating 20 subject to pilferage and degeneration from faulty handling, 

indicia. More particulariy, flie invention relates to a system Moreover, increases in the postal rate (which seem to occur 

and method under the control of a computer for automati- every three years) and the requirement for variable amounts 

cally establishing an indicia that can be used to authenticate of postage for international mail, makes the purchase of 

a postage or siinilar transaction. stamps even more inefficient and uneconomical, 

25 Because of dififerent postage zones, different classes of 

BACKGROUND OF THE INVENTION mail, diffeieot postage required by international maU and the 

Prescndy, it is common for individuals or businesses to f maintaining within an office, it is 

have residing within their offices a postage meter rented 'f^'}'^ ^/!^ an automate postage system, sudi as the 

from a commercial business such as!for example, Pitney 3^ af^^^ntioned meffiaent and relatively expensive postage 

Bowes. This anangement Is very convenient, since letters •° 

may be addressed, postage appUed. and mailed diiectiy from Accordmgly. there is a need in the art for a system and 

die office without requiring an employee to physlcaUy visit provides the automatic placement of postage on 

the U.S. Post Office and wait in line in order to apply postage ™^ ^ locations other dian a U.S. Post Office, while not 

to what is often a quite significant volume of outgoing mail, requiring the use of a traditional postage meter, 

or to manually apply stamps to each piece of mall. One major problem with any system in which a portable 

Quite naturaUy, postage meters were developed to relieve ^"^^''"^ ^ controlling available values in a 

the manual application ^ stamps on mail andio automate ^on^P^^^r system, such as the mount of postage availabe to 

the above process. Neverthd^, a postage meter residing %"f^^ maintenance of stna controls on the ^mng- 

within an office is not as convenient^mdT^ffident as it may 40 t^'T'^'^^'^^^nTlf T.^^ 

ftrstseemtobc.First,apostagemctermaynotbepurchased the abiUty to create an audit trad and the ability to withstand 

but must be rented. The rental fees alone arc typically over "Muthonzed usage. 

twenty dollars per month. For a smaU business, ttiis can be P^^^^"^ based system witfi a 

quite an expense to incur year after year. Second, a postage portable fffocessa- to store postage is diat the system should 

meter must be adjusted, serviced and replenished manually; 45 optiinaUy intrface with a us^ friencUy operati^^ 

e.g., each day tfie date must be adjusted manuaUy, pcriodi- '^"'^ ^ ^^^^^ ^ '^^P^^^ ^ P«>grams 

caUy the stamp pad must be re-infced, and when the amount ^ ^ processing or gr^hics f^ogram. 

of postage programmed within the postage meter has Itisaprimary object of this invention to provide a system 

expired, the postage in the meter must be replenished. To be method to dispense postage in a secure manner so that 

replenished, a postage meter must be manually unplugged, 50 ^ authenticated on a piece-by-picce basis. 

placed into a special case (the meter is of a signiiicant It is a further object of this invention to provide a system 

weight), and an employee must visit a U.S. Post Office to method which allows for die external authentication of 

have the meter repiogrammed with additional postage. Upon printed indicia from information obtained from the material 

arrival at the U.S. Post Office, a teller nuist cut the seal, "Poi which the indicia has been attached. 

replenish die meter with a desired amount of postage, and 55 Another object of the invention is to use a printed indicia 

reseal the m^er before reniming it to die en^oyee. The based upon infonnadon contained in a portable processor 

meter must then be returned to the office and powered up. which will provide management informatioa via the indicia 

A slightly more expensive meter (rental of ^proximately to the authenticating agency, such as a post office. 

$30.00 more) works in the following manner: 1) a user sets Another object of the invention is to provide a system and 

up an account with the meter owner, such as Pitney Bowes. 60 niethod whereby various configurations of postage indicia 

2) 7 to 10 days before a user requires more postage, the user ^ input into the portable memory device, 

deposits with the meter owner the amount of postage It is a further object of the invention to provide a system 

required, 3) the user then calls the owner (7 to 10 days later) and method whereby the user can select from several 

and they issue instructions as to the manual pushing of a configurations of postage indicia which the user desires to 

variety of buttons on the meter (programming) which will 65 print on an item of mail. 

replenish the postage amount on the meter. Nonetheless, the It is a still further object of the invention to provide a 

meter must be taken to the Post Office every 6 months. system and mediod whereby a user can iix^>ort personalized. 
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or customized, postage indicia graj^cs into the interface spondence. This cofrespoodence can then be placed in 

program which allows a CPU to read a pomble processor envelopes with cutouts or glassine paper at the ^>propriate 

device. areas so that the address* return address and/or meter stamp 

It is a still further object of the invention to be secured can be visualized throu^ the envelc^. 
from outside attempts at reverse engineering, not only for ^ In another prefened embodiment of the present invention, 

the protection of the portable processor as a trade secret but the aforementioned portable processors arc specially manu* 

so that flie integrity of credits it dispenses is never in doubt factured by Dallas Semiconductor fa- use in conjunction 

with programs. Le., unique serial numl>ers spedhc to the 

SUMMARY OF THE INVENTION program are embedded within each portable processor but- 

These and other objects and advantages are present toiu These serial numbers are then recorded in a user 

wherein a portable device is constructed with a memory and registration database for use by the Post Office and the 

having a processor controlling that memory. The device is POSTAGESCAN Software to scan and verify letters. Thus* 

arranged to communicate with a PC in order to exchange a fcsm of security is provided since only the portable 

instructions therewith. processors specially manufactured for use with the 

The pOTtable processor device has on board certain secu- E-STAMP program are able to receive or retrieve data 

rity related fields, such as the date and time, the balance. pertaining to postage amounts, as i^viously described, 

random number generators, number of transactions that have Additionally, a special user-defined password shall be 

taken place on the device, and the serial number of the dedicated for use with the program so that access is only 

device. It also has on board when the user initializes the provided to users entering the correct password. The afore- 
device, information about the owna: of the device including ^ mentioned serial numbers and passwords may. in addition to 

his/her name, the registration number and other information protecting agahst unauthorized use. also allow a user and 

about the owner such as Ae user*s address and password Postal authority to track postage used by every company. 

When the device is used and a transaction is about to be department, employee, etc. Furthermore, other software 
debited from the device, the information about the l^'ograms may also be configured to access the control 
transaction, such as the debit amount and other transaction FOgram so that spreadsheets and/or graphs may be pro- 
information that is postage related, such as the addressee's *^"ccd providing statistics on postage use within a business. 
ZIP code, the addresser* s ttp code, the recipients address Furthermore, the control program can be used to encode 
and name, the mail class, etc. These are all uploaded to the * variety of information within tiie postage indida using bar 
device from die PC. The processor stores them in memory. ^ c<x^ symbol technology. Such information would be 
then it takes all of diese packets of information, the security machine readable and can be used to identify postal indicia 
information, the owner information and die transaction forgeries, in combination with the established control data- 
information and encrypts them into a packet, using its own active system users. 

key which is on board the device (it is not given externally). In an alternative embodiment of the present invention, the 

Once the debit has taken place, the device gives data back system is arranged to automatically calculate the correct 

to the PC in encrypted form The PC then takes that postage to place on a letter, parcel or label as a function of 

information and packages it into an indicia in the form of a the class, zone and weight of tiie particular item to be 

portable data file so diat that encrypted infomation can then mailed One embodiment of the present invention includes 

be authenticated by the authenticating agency after it has a balance coupled to the host processor-based system so that 
been delivered along with a document If the <^ject is not to ^ mail can be placed on the balance and die weight of the mail 

print the indida but to audienticatc a transaction that is being automatically entered into the system for calculating the 

transmitted electronically, then the packet is used for veri- correct postage for that mail. 

fication of the electronic data. Typically, the verification When the portable processor memory is refilled, the 

occurs at a point remote from any coimection to the PC or recorded transaction information can be analyzed either 

to the PC user. from the perspective of management infonnation or to tiy to 

In yet another preforred embodiment of the present detect fraud. This allows for authentication of verification at 

invention, die display screen coupled to the processor-based ^ point remote (bodi physically and electronically) from the 

system employs a "Windows** type display for interfacing usa and remote from the PC and even remote fr'om die 

with the user. Through the display screen, the program will portable processor. 

request a password from the user and the amount of postage It is one technical advantage of this invention that the 

the user wishes to apply to a piece of outgoing mail or most vital security-related pieces of the system are per- 

corresponding label for subsequent application to a package formed on board the portable processor so that it is not very 

or envelope. The user will enter the desired amount of easily tan4>cred with. 

postage; the [vogram wiU retrieve this postage stored within is another technical advantage of this invention that the 

the portable processor, and the B-STAMP program will print portable postage devices are easily transported from one 

postage indida through a coupled printing device onto the standard oon^Hiter to another. 

outgoing mail or label K is another technical advantage of this invention that the 

In still yet aiK>dicr fveferred embodiment of the present portable postage storage devices are durable, long lasting 

invention, the prog^dm may be coupled to a word processing and economical. One method of accon^lishing this is to use 
program resicting within the processor-based system As a 6o a portable processor with a hardened case, not allowing 

result, the application of the postage indicia noay be made in direct contact with the processor. In this way, die code which 

conjunction with the word processing program, which has defines the personalizing of the processor remains secret and 

the capability to print envelopes, separately or in conjunc- cannot be disassembled, 

tion witti the j^ting of a corresponding letter produced by n is anotiier feature of this invention to provide a system 
die word processing jffogram. 65 and mediod diat as transactions take place die portable 

Furthermore, the system may also be programmed to print memory records information about each transaction and 

the address, return address and postage indicia on cone- maintains a log of the most recent transactions. 
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Id one embodiment, it is a technical advantage of the DETAILED DESCRIPTION OF THE 

invention that it presents an entire system and method for INVEI^ON 
diq>ensin8 postage electronicaUy using a portable processor 

and refiUing of the portable processor through the use of a . j . j j - j * -lu i 5/ * 

secure crJt server'^ the tiansfoni^on^ a co^^^ 5 dispcQsmg device dcscnbcd in 

tion of credits and infonnation about the portable processor ^ <^Plf* ^ processor-based system at both the 

user into a graphical security interface, sudi as a printed customer s site and at the postal autfionty or an authorized 

postage indicia, entitling the user to obtain an official ^^^t Throughout die remainder of this description, rcfcr- 

transaction at a point detached from botfi the processor and ence is made to the U.S. Post Office, postal authority cr its 

the user (such as the sending of a parcel in die mail system). agents. Note, however, that the present invention may be 

The foregoing has outlined rathfflMoadly the features and in^lemented within any country and with respect to any 

tedmical advantages of the present invention in order that postal system or with respect to any data packet which is 

the detailed description of the invention that follows may be being examined by a validating authority detached* both 

better understood. Additional features and advantages of the physically and electronicaUy, from its source, 

invention will be described hereinafter which form die The present invention will allow an individual to purchase 

subject of the claims of the invention. It should be appre- a desired amount of postage at an authorized agent of the 

dated by those skilled in the art diat the conception and the U.S. Post Office, sudi postage bcdng stored within a portable 

specific embodiment disclosed may be readily utilized as a postage dispensing device, which itself is a portable proces- 

basis for modifying or designing other structures for carry- sor. The user may then invoke a host processor-based system 

ing out die same purposes of the present invention. It should ^ to access and retrieve a portion of the stored amount of 

also be realized by those skilled in the art that such equiva- postage via a program stored on the host processor-based 

lent constructions do not depart from the spirit and scc^ of system, such program hereinafter referred to as the 

the invention as set forth in the appended claims. "E-STAMP®" progranL The E-STAMF™ program requests 

BRIEF DESCRIFnON OF THE DRAWINGS 'T''^*^' *f ^ t^l^ TJ?"^ 

the addressee s address, etc. The E-STAMP program utihzes 

For a more complete understanding of the present ^ ^^c information diat was entered to calculate the amount of 

invention, and the advantages thereof, reference is now desired postage for an item to be mailed and prints a meter 

made to the foUowing descriptions taken in oonjuncUon with jtanq), indida, on an envelope, labd or letter through a 

the accompanying drawings, in which: printer or special pwpose label maker coupled to the host 

FIG. lA illustrates a host processor-based system for processor-based system- 
implementation of die presem invention; ^ jijg portable postage dispensing device can also be 

FIG. IB illustrates several embodiments of the postage coupled to a host processor-based system located at the 

stOTage device; audiorizcd U.S. Post Office Agent Particular post office sites 

FIG. 2 illustrates an embodiment of user instructions and and authorized agents will have installed a system compli- 
scrccn prompts utilized by the present invention to interface mentary to (he software system installed on die customer*s 
with a user when installing the program on the processor- PC. The program installed at the U.S. Post Office, herein- 
based system for implementation of the present invention; after referred to as the POSTAGEMAKER™ will allow an 

FIG. 3A illustrates one embodiment of a user registration authorized agent to interface the portable postage dispensing 

form; device with the host processor-based system residing at the 

FIG. 3B illustrates a postal or verification indida; 40 authorized refilling agent in order to replenish the amount of 

FIG. 3C illustrates an encoded user registration form; postage programmed within the portable posUge diq)ensing 

FIGS, 4A-4F illustrate display screens utilized by the <icvice in an amount requested and purchased by the cus- 

present invention to interface with a postal authority tomer. 

employee when replenishing postage widiin the present Rcfcning to FIG. lA, there is illustrated a proccssor- 

inventioo; 45 based system (10) utilized for implementing the present 

FIGS. 5A and SB illustrate flow diagrams of the replen- invention. ^)ccdficaUy die aforementioned E-STAMP and 

ishing and debiting processes; POCTAGEMAKER programs. System 10 includes chassis 

FIG. 6 illustrates a prcfcircd embodiment of the security " '"''1'''^°?^^'^? .'^'..^ and <Ksk drive 14. 

tedmiques utilized widiin die present invention; CPU 12 is display 13, keyboard IS and mouse 

FIG. 7 illustrates a flow diagram of the operation of the « ^^f^^; system 10 is adapted for cocpUng with a 

- r , . postage storage device 18, such as the preferred embodiment 

present mvention witiun a host processor-based syst«n; ^^^^ ^^^^^^ ^ ^ 

nOS. 8 and 8A lUustralc a display interface provided to 3,^^^ .^^^^ ^ pi^ ^ p 

a user when accessing the present invention on a host ^ ,^ processor-based system 10 through 

processor-based system; ^ ^^^^ ^^.^^ 1^ 

RG. 9 lUustrates an envelope used to display die postage Th^ p^^j^ ^^^^ dispensing device may be any 

mdiaa prmted on a letter; securablc. intelligent device having some residual data 

FIGS. lOA-lOF illustrate how die master, agent and capability, where that device can provide suffident security 

postage buttons are vaUdated; measures to efficiently limit access to tfic memory and 

FIG. 11 illustrates the architecture for the preferred ^ executable code of the device to audicrized users. Intelli- 

embodiment of the portable processor; gence is defined as having a CPU or other processor and 

FIG. 12 illustrates how a postage button is encoded; memoiy built into the portable processes device. 

FIG. 13 illustrates how an agent or master button is The preferred embodiment portable processor button 

encoded; and 182, incotporates a small disk having a memory and CPU. 

FIG. 14 shows the interrelationship of the database for 65 Portable processor button 182 is a small, light-weight 

registering memories assigned to users and the use of the portable, essentially non-breakable device available from 

database for verification purposes. Dallas Semiconductor. Dallas, Tex. A portable processor 
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buttoD may be coupled to host processor-based system 10 instalMoo of die E-STAMP program. The instructions and 

throu^ button bolder 172. Id a preferred embodiment of the screen prongs illustrated in FIG. 2 reflect the installation of 

present iDvention. a batch of buttcms will be manufactured the E-^AMP program in a Microsoft ^'Windows*' operating 

with specifically designated serial numbers far use solely environment on a PC equipped with a portable p9X>cessor 
widi the present invention. However, disposable portable 5 182 and portable processor holder 172. Of course, other 

processor buttons 182, preloaded in various denominations. means could be cnq)loycd for implementing the present 

could also be sold either over the counter or in existing Invention within a host processor-based system 1#. 

stamp machines at post office locations. The postal audiority The user installalioD instructions 201 inform die user how 

may also select to sell pre-loaded portable processors, on to pull up the E-STAMP installation program. Once the 

which the customer pays a deposit, that can be exchanged installation program is initiated, screen 203 will appear, 

for another portable processor or returned for the deposit Screen 203 instructs the user to connect die TMU holder 172 

whenever button 182 is depleted of postage. All authorized to a serial port and to insert die TMU button 182 into die 

postal agent locations may sell i^-loaded portable proces- holder 172. The user is tiien instructed to turn on a printer 19 

son cff die postal audiority may elect to designate particular that has been coupled to die processor-based system 10 and 

postal audiority locations fc^ selling portable processors. check to see diat the printer 19is suppUed widi paper. Screen 

An advantage of die preferred embodiment (die portoble 203 further requests that die usct prepare the following 

processor button 182) is diat a portable i^ocessor button 182 information: the user's full name and address, an identifi- 

is smaU enough and light enough diat several may be carried cation numba- for die user (i.e.. an cmploycx identification 

in one hand. Furthermore, the portable i^ocessor button 182 number (EIN#). if the user is a business or organization; or 

is sufficiendy durable to be sent durough die maU. The fact a social security Dumber (SS#). if die user is an individual), 
diat die portable jffocessor is universally usable widi PC's ^ the user's ZIP code, die user's telephone number and die 

aUows die per unit cost to be lower. user's fax number. The next screen, screen 205 displays die 

Additional alternative embodiments of the portable post- Post N Mail license Agreement with its legal terras and 

age dispensing device 18 are illustrated in FIG. IB. One conditions. Acceptance of the terms and conditions set out in 

alternative postage storage device 18 is a smart disk 188 the license agreement is indicated when die user continues 

incorporating its own electronic modules capable of read^ with the installation program. 

write c^jeraUoDS. One embodiment of such a smart disk 188, Next, screen 207 will appear and display die E-STAMP 

Smart Disk™, can be obtained from Smart Disk Security serial number and TMU serial numbff. At Uiis time die 

Ccsporation, Naples. FUl The Smart Disk™ looks like a user-specific information requested in saccn 203 should be 
floppy disk and fits into a typical PC's floppy disk drive, ^ entered into die E^AMP program. Once die user has 

connected either cxtcmaUy or internally to host processor- entered die uscr-spedfic information, screen 209 will appear 

based system 10; however. Smart Disk™ has its own warning die user to carefully verify die correctness of die 

microprocessor that provides secure, password protected entered information. 

storage. One advantage of die Smart Disk™ is tfiat it can verifying die information added tato die E-STAMP 

operate in a standard PC disk drive widiout modification to program, screen 211 wiU remind die user to ensure diat a 

die disk drive or PC. Smart Disk™ provides security for coiqiled printer 19 is on line. The user information ent^ed 

rto-ed postage widi an encrypted password and die encryp- ^,^^0 die E-STAMP program will tiien be incorporated into a 

tion algoridmL y^^. registration form, one embodiment of which is illus- 

Anodier type of portable postage dispensing device 18 is trated in FIG. 3. The E-STAMP registration form will be 
a smart card 186. a plastic card with an embedded micro- ^ printed in triplicate. The user is instructed to sign and mail 

chq). The microch^ contains mathematical formulas that two copies of the registration form to the creator of the 

encrypt computer data to secure access to that data (Le.. E-STAMP program. Post N MaiL Inc. and to retain one copy 

postage) and verify a user's identity before aUowing access of die registration form. Screen 2U also informs die user 

to die data. One drawback in die currently avaiUble smart diat a registration card wUl be mailed to die user in crder diat 

cards 186 is diat tiiey require a smart card processor 176 the user may access TMU refilling stations, 

hooked to die processor-based system 10. E.STAMP installation program continues widi screen 

StiU anodier type of postage storage device 18 is a 213, which describes die progress being made in installing 

PCMCIA card 184. PCMCIA cards are currentiy used on the E-STAMP j^ogram. and saecn 215. which informs die 

notebook computers for modular storage and communica- user when die E-STAMP program installation has been 

tion. Both external and internal add-on readers 174 (Le., card con^leted 

slots) are available for PCs. Referring to FIG. 3A, diere is illustrated a prefened 

The postal storage device 18 may be used on a variety <rf embodiment of die ErSTAMP registration fcon. The regis- 

host processor-based systems 10. Host processor-based sys- tration form includes information such as the potable pro- 

tems 10 may be located in an individual's home, at any cesser button serial number 31. die E^AMP serial number 
business location, or may even be jffesent in a post office 53 32, the date and time diat die E-STAMP program was 

lobby for after hour usage. In a preferred embodiment, instaUed 33. and uscr-^)ccific information 35 (c.g.. name, 

system 10 is a PC. In an alternative embodiment system 10 address, telephone and fax oumbeis. and identification 

could be part of a main-frame computer or system 10 could number), and a ccpy of die Post N Mail License Agreement 

bcpartofanetwOTksystemofmult^lchostproccssor-based 33 having an identified location for the user to sign. A 
systems. ^ preferred embodiment of die E-STAMP registration form 

Typically, a user will buy a portable postage dispensing will also contain all of die information needed to specifically 

device 18. containing a small quantity of postage, included Identify theTMUlxitton. &STAMP program, and registered 

widi a copy of die E-STAMP program. The user will then user in an encrypted format 301 FIG. 3C. The encrypted 

install the E-STAMP program on the user's host processcn^- Information 301 will be In a machine-readable graphical 
based system 10. 65 security interface, such as a standard bar code. In die 

FIG. 2 illustrates one embodiment of user insunictions and prefeired embodiment, die code would be the PDF417 code 

screen pronqiCs to be followed by the user during the discussed in more detail below. 
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As will be <liscusse(L iadida 300 shown In FIG. 3B also diq)cnsing device 18, via the E-STAMP program, for sub- 
has a Ic^o portioa 39 and a printed *1iuman readable" sequent printing as a postage indicia onto a piece of mail 
portion 38 as well as an encrypted poition 37. It is this through printer 19, coupled to system 10. The utilizatioD of 
portion 37 which is read and, if desired, conqwred to a the E-STAMP program by a customer will be further 
database at a location remote from the user, remote &om the 5 described below, 
generating PC and remote from the portable processGO*. 

The standard bar code contains white and dark areas in the POSTAGEMAKER FUNCnONALTTY 

form of bars that can be read by a laser scanner. The laser DESCRIPTION 

scanner illuminates the white and dark areas widi a light of ^ . . ttw^ ^ * j m . j ^ j 

a certain frequency. Ttic Ught is r^ected back to the ks(i f ^' is illustrated a preferred 

scanner in such a way as to indicate the pattern of white and " ^'^}''^ '''^^u^ on display 13 

bUck areas within the bar code. Since white areas reflect ^ * P^^.^f?' Pf*^f 

much more Hght than dark areas do, a perpendicular scan of ^^y^^^^^ on system 10. Of course, the particular display 

the bar code will aUow the scanner to translate the reflected ^^^^ ^iinstiBt^ in FIG. 4Amay be modified in any one of 

light into the coded information. More than 20 linear bar numerous ways. Also, m a prcfcircd embodiment of die 

code languages have been developed, each with its own present invention, host processor-based sys^^^^^ 

specifications for how many bars and spaces make up a "»P"^ * "^er via keyboard 15 and mouse 16 

character, how characters arc to be arranged, whether the ^oweytt. other vanous forms of input may be utihzed. such 

characters can be letters as well as numbcn. and so forth. «^ « P<=° touch-sensitive screen (both not shown). 

The most widely-used bar code is the Universal Product ^ The main screen consists of function '^buttons** which 

Code (UPQ seen on everyday grocery items. The standard ^ clicked on with the mouse 16 to activate them. At the 

bar code currently used by the post office is POSTNKT beginning of a session, the postal agent must have a supcr- 

ZIP+4 described in Postal Service Publication number 67. v^^r enable the program by putting a master pOTtable 

More sophisticated graphical security interfaces have processor button 18 into holder 17 and cUcking on the 

been developed over ttie Ust decade, such as Intcimec „ function 'lx)g m the Master Button. The master password 

Corporations' Code 49 and Laserlight System Inc/s Code typed into the dialog wmdow illustrated in FIG. 4B. The 

16K. A major advantage of these more sophisticated grai^- password here wiU be passed to the master security button 

calsecuiityinterfacesisthattheycontainan error-correction verifiaition against the one stored mside of it. If the 

formula whidi can often recover the entire message even if password is mcoircct or the button was not &e carcct one 

parts of the code have been torn ot damaged. ^ supervisor an cir<ff will be displayed and the 

A preferred embodiment of en^ypted information 301 is PO^AGEMAKER users wiU be prompted to retry the 

a gr^hical security intaface developed by Symbol Tech- "^^^ operation. 

nologies of Bohemia. N.Y and is caUedPDF417, a portable successfully accompUshed. the postal agent 

dau file. PDF417 is a graphical security interface con- ™st log in to the POSTAGEMAKER system by 

stiucted from data units called ^Wds.** each of which is 17 35 piugging his/her agent p<Htable processor button 19 into 

modules long. Bars are made from filling in up to six bolder 17 and clicking on the function **Log in the Agent 

consecutive modules and each unit has four separate bars Button." The agent password is typed into the dialog win- 

and four spaces. In essence, PDF417 can stack the equiva- ^^"^ illustrated in FIG. 4C. The password here wiU be passed 

lent of up to 90 one-dimensional bar codes, each just tfiree agent security button for verification against the one 

hundredths of an inch high. Thus, AePDF417symbology is 40 stored inside of it If the password is incorrect or the button 

mere con^>licated to produce and scan than is the typical was not the c<Hrect one for this agent an error will be 

one-dimensional bar code and allows for a denser coding of displayed and the POSTAGEMAKER users will be 

information. Because the PDF417 symbology specification prompted to retry the agent login operation, 

includes sof^ticated protocols for error-correction, the Once both master and agent security buttons have been 

actual density of information is highly variable, but can be 45 logged-in, POSTAGEMAKER is now considered to be a 

ten times the amount of information found in U.S.BS. valid aedit server. In this discussion, credit server is defined 

PostNet bar code, per square inch. PDF417 is available from as a host system-based ai^cation which is en^wcrcd to 

Symbol Technologies, Inc. 116 Wilbur Place. Bohemia, allow portable postage di^nsing devices, such as device 

N.Y. 11716 and the operation of the PDF417 is detailed in 18, to become credited with prepaid postage values for 

PDF Primer obtained from them and is hereby incorporated 50 subsequent control of a processor based system, 

herein by reference. If it should be necessary to create an agent security button^ 

When Post N Mail. Inc., the system administrator, the function '^Create an agent Button** should be selected 

receives the signed license Agreement from ttie user, the with mouse 16. A valid logged-in agent button is not 

encrypted ioformatioD 301 can be scanned with a laser necessary for authorization to perform this operation. Only 

scanner so that the information contained therein can be 33 a valid logged in master button is required. Once the **Qreate 

automatically transferred to a Registered User's database. an Agent Button** function is selected and it has verified 

The purpose of this database will be more fiiUy discussed proper authority as has been previously asserted, the dialog 

below. When the encrypted information 301 has been trans- window in FIG. 4D appears. The Agent Id, Namie and access 

fcrred to the registered user*s database, a registration card password must be input so they can be registered on the 

containing a serial number will be printed and mailed to the 60 newly formatted agent button. An exan:^}le of this informa- 

rcgistcred user. The valid entry of the user registration tion appears in FIG. 4E. 

information in the Post N Mail Database guarantees that Once this dialog has been fully fiUcd out, the ^'OK'* button 

uscr*s mail to pass verification at the U.S. Post Office, for the should be selected to continue the operation. If 'tTANGEL** 

letter scanning equipment will be connected to Post N Mail 1$ selected the dialog window appears and Che function 

for real-time verification of mail. 6S terminates leaving main control to (he main screen pictured 

System 10 may be utilized at a customex site for permit- in FIG. 4A. ff "OK** was selected, the dialog window in FIG. 

ting a user to retrieve postage stored within portable postage 4F appears, pron^ting the agent to place a blank button on 
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the interface 17 and hit the ENTER key on keyboard 15 The actual cofnmitting of the credit opaation happens 

when ready (or use mouse 16 to select ttic **01C button on when *t)K" is selected at the bottom of dialog window 4L. 

the dialog). The nwter is credited and dialog window 4N appean to tcU 

The host processor-based systan 10. executing the POST- the agent the q)eration was successful. At this point if 
AGEMAKER program will complete the operations neces- 5 suocessfui a receipt such as shown in FIG. 40 will print out 

sary to format tfie button as an agent security deWcc and if on the designated agency printer. The recent is necessary 

successM will display the dialog window pictured in FIG, because of the new postal value bestowed on the portoble 

4G. Select OK to continue. poslal dispensing device by the credit server POSTAGE- 

To format a new portable postage diqwnsing device, the MAKER. Along with the receipt, a record is kept in the host 
agent must select the '^Create a New Postage Button*' 10 processor-based system 1# of the transaction foi logging 

fiiDctioa by ckcking on it witti mouse 16. At this point, the puiposcs 

dialog window in RG. 4H am>ear$ prompting the agent to * ^ . , , . 

put a blank postage button on the holder 17. Should the Nonnally, the portable processor is completely secure 

operation fail, a dialog warning of this will appear, U tampcrmg but certain conditions migjjt trigger the 

successful, a receipt such as shown in FIG. 41 will print out portable processor to disable itself to protect its internal 

on the designated agency printer. The rece^rt is necessary P^^tal value integrity. Should this ever happen, the function 

because of the initial value bestowed on the postal button by "Attempt to Repair a Damaged Button** can by used by agent 

the credit server POSTAGEMAKER. Along with the to notify the portable processor that the matter has been 

receipt a record is kept in the host processor-based system investigated and do fraudulent actions appear to have been 

10 of the transaction for logging pirposes. committed. This allows the button to start to wcrk again 
To add postage to a portable postage dispensing device. ^ accepting commands from a host processor-based system 10 

ttic agent must select the function, "Add Postage to a Used for both crediting and debiting operations. 

Button** with mouse 16. Once this is done, the portable 

postage dispensing device, which was previously placed on E-STAMP FUNCnONALITY DESCRIPTION 

the holder wiU be read and the cMog v^dow in FIG. 4J Qnce the required amount of postage has been tnmsf ared 

wdlappe^if&ebimwi^^ 25 ^^^^ ^ 

^.viS^l^^jyc h^fi^^ physiaSTcarry the button back to the user's business 

previously registered and is beuKg refilled, a dialog window f™*^^ j -.1.1 to^^ 

Ukt that in FIG. 4J will appeii but with suiylcmcntary f^''^^ 

information as pictured in fKTiL In both cas<i!^tfie buttOD ?f processor-^ased system 10 ttirougb button holder 17Z 

serial number is the same, but user legistiation data has been 30 UP°° invocation of the E.STAMP program by tiie customer, 

completed in the latter version in FIG. 4fc User registration customer* s host processor-based system 10 can access 

information diq)laycd here are: PNM Registration No., ^® postal amount stored in portaWe processor button 182 

Name of registered button owner and ZIP code of registered download portions of the stored postage to the 

button owner. E-STAMP program to be used for printing postage indicia 

In FIG. 41, the button has a current balance of $2.00 and 35 P^*==*^*^ 
expires on Aug. 23. 1995. By filling in an amount in the Rcfcning next to FIG. 7, there is illustrated a flow 
Transaction Balance field, the agent can refill this button, diagram of the jhwcss employed within host processor- 
even though it lacks registration information. It should be ^^^^ system 10 configured for allowing a user to print a 
noted however, tfiat the E-STAMP program will not allow postage indicia. As previously discussed, the E-STAMP 
transactions to be made with this button before it has been 40 progr^ toay ^ a stand-alone program, or it may be 
registered with POST N MAIL and a valid registration associated and coupled with a word processor progranL 
number has been stored on the portable processor button. Therefore, the E-STAMP program may be started directly 

In no. 4K, (he already-used and registered button has a '^^^^ or via step 701. Thereafter, at step 703, die 

cuirent balance of $102,09 and its expiration date is Aug. 23. E-STAMP program shows display 80, illustrated and 

1995. Expiration date is always set by POSTAGEMAKER 45 <*escribed with respect to FIG, 8, to the user, 

as 90 days from the date of r rfill This implies that revisits Next» in step 704. as shown in FIG. 7. the E-STAMP 

for refill operations must take place at least once every program verifies the existence of portable processor button 

quarter. This is an arbitrary restriction and can be changed if coiq>led to host frocessor-based system 10. If portable 

desired. processor button 182 has not been inserted within its holder 

Continuing with the refill operation, if the agent is 50 172. at step 705, a message is flashed to die user to insert 

requested to put $100 worth of postal value on the portable portable processor 182. If the wrong portable processor 

postage dispensing device by tfie user, this amount is entered button, or a pcHtablc processor button not programmed for 

in the ^Transaction Balance" field with keyboard 15 as E-STAMP program, has been inserted and 

shown in FIG. 4L, Selecting the **Acccpt" function at the coupled to system 10, a warning is flashed to the user to 

bottom of the dialog window wiU give another dialog 55 ii^sert an authwized, or valid, pOTtable processor button 182 

window foi validation puiiposes, such as that in FIG. 4M. ^ illustrated in box 706. The process of portable processor 

Clicking "OIC* makes this dialog window dis^jpear and verification represented by box 704 includes several steps as 

control returns to dialog window 4L with the "Refill Bal- follows: 

ance" field filled out witii tiie $100 ^previous balance of $2 Step 1— Successful communication with portable proccs- 

giviog total $102. Clicking **Canccr in Dialog window 4L 60 $or within its strict communication protocol and com- 

siraply returns to dialog window 4L witiiout updating the mand structure already demonstrates likelihood that at 

refill balance field. Selecting *T<cEntcr" at the bottom of least die type of button is correct (Le.. it is more than 

dialog window 4L allows the 'Transaction Balance** field to just a Dallas ScmiconductOT button, it is a button 

be redone in the case a mistake was made. The **Cancer running tiie proprietary code particular to the postage 

junction at the bottom of dialog window 4L simply cancels 65 apj^ication outlined herein). 

the function and returns control to the main window pictured Step 2 — Serial number of portable processor is verified 

in FIG. 4A. against encrypted registration information in the PC. 
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If a valid portable processor button is coupled to system comer of a specially designed envelope 900 illustrated in 

10, at step 707, other information stored in the secure FIG. 9 and as shown in oo^nding Design Patent applica- 

environinent of the portable processor is demanded via the tions Scr. No. 29/022,913, filed May 16. 1994, and Scr. No. 

common command structure used for host-to-button com- 29/039328, filed May 24, 1995, both incorporated by ref- 

munications. The process of portable iffocessor connection 5 crcncc herein. 

represented by box 707 includes several steps as follows: Envelope 900 may be a st^dard or noit-standard size with 
i cy^^xtn j ^ Boy numbcT of wittdows 83 dcsigDcd by thc uscT. Typically, 
Step -E-STAMP passes user password entered to por- ^ ^ ^^^^ ^ ^^^^ 901 in the top right 
table processor and venlication takes place wittun the ^^^^ ^^^^ through, 
secure environment of the portable processor button to Envelope 900 may also have other windows for the address- 
guarantee maximum secrecy of the password. Pass- lo n^me and address (903) and for a return address (902) 
word is never stored in host processor-based system 10. to show through. Envelope 900 may have glassinc paper, or 
Step 2 — If Ae portable processor reports a result firom other transparent covering material 9(M, covering the 
Step 1 as a password match. E-STAMP will then be described windows sudi that the postage indicia and oth^ 
able to access the command facilities of the portable imprinted information is protected from inadvertent detach- 
proccsscr to ultimately print postage indicia thereby nient and adverse conditions (sudi as inclement weatha). 
deducting value from the internal daU representation <rf Thereafter, in step 711, the user enters the weight of the 
credit within the portable processor. package or lettCT associated with the postage indicia. This 
^ «^ wi : • ^ weight may be entered manually, or automatically through 
Stq> 3-Portablc processor verifies its own cTjpiration processor-bascd system 
date based on an internal real-time clock. Host ^ lo in a manner weU known in the aS In step 712, the user 
processor-based system 10 never has opportumty to ^^^^^ ^ ^ j^^^ ^^^^^^ ^hown in box 809. 
interfere m this deasion. Thereafter, in step 713, the user may select the location of 
Step 4 — ^If the result of the expiration date check of Step routing information for the recipient address. Such informa- 
3 is that the portable processor is still valid, the user tion will be automatically extracted from the address, and 
registration information stored in the host processor- 25 fonnatted in the PostNet symbology for ZIP+4 information, 
based system 10 is passed to the portable processor for as provided in Postal Service Publication 67 and incoqx>- 
validation. rated herein by reference. 
Step 5 — ^If the check of Step 4 is valid, the cinrent meter Typically the postal indicia may include any combination 
balance is displayed in the center-button pact of the of the following iafonnation: the date, the postage dispens- 
E-STAMP program screen block 80lS. just to the left of 30 ing device serial number, the sender's ZIP code, the addrcss- 
the traffic light icon which will also display ^^green** to ee*$ ZIP code, the eTqiiration date d the postage dispensing 
indicate that a valid portable p^ocessor button is avail- device, the cumulative values of die strike and dollar 
able for use in printing postage indicia. If any of the counters, PNM registration number and the post office 
above checks are invalid, the traffic light di^lays 'ted" identification number. The postage indicia shall contain this 
to indicate that a valid postage dispensing device was 35 information which was encrypted by the portable postage 
not detected. dispensing device and presented to the outside world thusly. 
Next, at step 708, retinn address box 803 is conipleted thereby guarding the data content of the indicia a secret to 
automatically or manually. The address within 803 may be all but the U.S. Post Office scanning equqsment which will 
automatically entered from the adjoining word processor be charged with decoding the indicia bar code and deciypt- 
{sogram. the address may be selected from a drop-down box 40 ing the information for use In verification of the integrity of 
(not shown), or the address may be manually input Any the indicia. The postage indicia physical fonn may encode 
entered address may be saved within the E-STAMP pro- the encrypted information within an insignia or design, or it 
gram. Additionally, if a return address is not desired, it may may ^>pcar as a background the postage amount printed 
be omitted. in a visually recognized form. 

Thereafter, in step 709, the contents of address box 805 45 FurthcrmOTC, the use of the POSTAGEMAKER program 

are entered in a manner similar to &e contents of return in conjunction with a database program will allow the 

address 803. authorized postage by post office location (or ZIP code), post 

Any one of a number of ^time-out"* scenarios could be office agent, portable postage dispenser serial number, etc. 

cnqsloycd. For example, a preestablishcd time of three This informatioa can be easily compiled to determine post 

months from last refilling, or the time-out could occur a 50 office sales, market forecasts, etc. 

certain time after non-use. The E-STAMP program will automatically incorporate 

Next, at step 710. the user may select the print format by the aforementioned entered parameters — ^weight class « 

the use of the "Print Setup** standard dialog box selected in zone — in order to cosrectly calculate the correct postage to 

the "Tile*" Menu as pictured in FIG. 8A. As illustrated, the print in conjunction with the postage indicia and to deduct 

postage indicia may be printed on a label through printer/ 55 ftom the postage amount stored within portable processor 

label maker 19, or a choice may be made to print the postage button 182. 

indida on an envelope inserted within printer 19, which may Lastly in step 715, the user confirms his/her diolce to 

be chosen to be a standard size or a nonstandard size as print the postal indicia or not, thereby with the undcrstand- 

selected by the user. Note that if the postage indicia is to be ing that that amount of postage will be deducted from the 

printed on a label, it may be desired that the return address 60 balance in the portable postage dispenser 182. If YES is 

within 803 and the address within box 805 not be printed. chosen, control passes to sXep 716 and the E-STAMP pro- 

Alternativcly, the postage indicia and the addresses widiin gram utilizes the input/output ports of host processor-based 

boxes 803 and 805 may all be printed on a flyer, a pamphlet, system 10 to send to printer/label maker 19, the correct data 

a postcard or a sheet of paper. Whenever the indicia is pertaining to the indicia to be printed on an envelope, letter, 

printed on a letter, along widi the addresses in boxes 803 and 65 card or label. 

805, that letter may be folded so that the indicia will show The amount of postage printed on the indicia is automati- 

througb an opening <x window 901, in die top right hand cally deducted from the amount stored within portable 
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processor buttoo 182 by (he button itself on command from Postal Authority/Refill Station (POSTAGEMAKER) vet- 

the host processor-based system 10 in step 716. Other sion of system 10 before a refill cs initialization operation of 

intenial informatioo is automatically updated, including the a postage button can take place. 

usage record for this paiticiilar pwtablc processor, which is j^^^ ^ ^ ^.^^ ^ ^ by 

teptinteInaU}^bmac«sslhletoa«ouuU^ j Auth^ty/ReSlsLtion soflwaie during leiill 

nzed oommands. Such usaee records include, but are not ^ l l ^ y» . . i-j ^ ^ ^ 

limited to. addressee, postage amount date, ank the Snal ^^<'^f- ^I'^^" ^> ^ 

d&Qomina^^ ^uu^uu^- *uiu uiij^*! customer's E-STAMP s<rftware prior to the commencement 

Note that during the selection of the various parameters P^^S operations. The sequences for vali- 

within display 80, the E-STAMP program may be in^c- ^ "^ster, agent and postage buttons using the Postal 

mented to update the postage amount displayed within meter Authoiity/Refill Station software are depicted in FIGS, 

display 806 as the ongoing communications dialog between lOA-lOF. 

the portable processor and host processor-based system 10 is The Postal Authority validation jsocedure for a button 

essentially a reaJ-time basis. coupled to sysUan 10 begins at Step 1000 (FIG. lOA). with 

Box 802 is provided for the user to insert the location the initiation of the POCTAGEMAKER refill station soft- 

(ZONE) from which the mail is to be sent. Thclocation may ware. For discussion purposes, assume only one portable 

be used to calculate the correct postage for the indicia. The processor button 18 has been coupled to system 10 at (his 

date that the maU is stamped is automatically adjusted every 1001, fee software reads the communication 

daybyareal-tiHKciockwWchexijste ^us to see if any valid devices exist on it. If no. it just 

the portable proct^sor ^^thercfore cannot be tainpered ^^^^^^ ^ «i . ^ POmiAKER 

withby«ternal influcncc^Tbswin he^^^^ 20 ^^^^^ ^ ^^^ ^^^^ 3 command to die 

or post-dating of maiL The date and if desired, tune, shall ^able processor button 18. as in Step 1002. to demand 

also be encrypted m the postal mdiaa for external voifica- information for the button. The button, which is reset 

« . « . , ,r ^ from a "sleep" or dormant state when it receives the 

TTie 'Ftmt Preview" option selected from the file menu in command, can verify its contents to be correct and that it is 

FIG. &A is provided to not only get an idea of how the 25 the type of button (POSTAGE or SECURITY DEVICE) that 

finished envelope (or label) will look but to add personahzed ^^^^ ^ ^ ^.^ jf ^ 

Items such as a greeting or graphical bitmap which imght „^ ^ack before a time-out in Step 1003, it is 

represent a company logo for mstance, assumed that die button on the communication bus is not 

TTie aforemenuoned ^eps may be repeated for a subse- and an ernir message would be dispkyed. If the 

quent piece of inaiL or the user nmy <tecoupleto^ 30 response is OK, it is implied that there is a good chance this 

process button IW from the system 10. .3 ^ PNM-programmed button because of its vaHdated 

Using die EOTAMP system and rnethod, users hke ^^^^ ^ Pmf-specific command issued to it 

lawyers, accountants, advertising agencies, etc.. who bill ^ ^. . ^ ^ 

their cUenU for postage will be able to keep track of postage , ^ ^T'^ depending on Ae type of button expccied. 

expenses on a pci-dient basis. 35 the sUtus information^^ 

type in Steps 1005. 1006 and 1007. Based on the decision of 

POSTAGE REFILLING CONTROL what type it is, a connect operation for that type of button is 

In the prefencd embodiment, portable process^ button atten^Aed in Step 1008, 1014 or 1019. If master or agent 

18 includes secure non-volatile (battCTy-backed) memory security device, a security device type of connect is issued 

and a CPU (central processing unit) enable of executing 40 button and a coirect response must be received by the 

instructions. These items are enclosed in the confines erf a host system 10 before proceeding. In Stq)s 1010 or 1016 a 

hermetically sealed metal can. While the internal operating master or agent password is demanded of the user depending 

code which gives the portable processor its useful attributes which type of button is being serviced. Step 1011 

is kept in ROM (read-only memory), the extremely sensitive validates this pas swad by passing the password to the 

data representations of mon^ary value, strike counters, 43 button so that it can verify it in its own secure environment 

usage logs, refilling logs and encryption keys used to cnoypt The password is never stared in host system 10 fa: security 

the information passed to the host p«Y)cessor-based system reasons. A positive validation of password from the button 

10 which executes E-STAMP and is then conveyed to a ^ host authority level of 1 for master and agent 

postage indida for use in mailing a parcel. simultaneously on the bus and authority level 2 for master 

As discussed in further detaU below, there are ttiree 50 ^ 

dififerent types or applications for the portable processor Assuming diat the button was a POSTAGE type and the 

button 18 which relate to different levels of authinity and connection which was made in Step 1019 is made and 

use: Master buttons (Authority Level 2) which arc provided verified in Step 1020, the POSTAGEMAKER software does 

to a limited number of siq>ervising postal authority person- not require die validated password of the POSTAGE button 

nel; Agent buttons (Authority Level 1) which are provided 55 continue. Howeva. it will check that the propo- authority 

to authorized postal agents who perf onn refill operations on level two has been previously granted by the presence of 

used portable postage di^nsing buttons and initialization both a validated agent and master button on the bus at the 

operations on new portable postage dispensing t>uttons; and same time in St^ 1021. If the proper authority level has not 

postage buttons (Authority Level 3) which allow the postal been attained, no operations may be performed on die 

customer (user) to jnint an authorized amount of postage 60 POSTAGE button. If that authority exists, control can pro- 

indida using a sqsarate host processor-based system con- ceed to Stq> 1018 in die case of a customer demand for new 

trolled by die user. In actuality, the first two types of buttons button initialization, old button credit refill or old. damaged 

are known as security devices which grant authority to serve button r^xiir operations. 

credit and maintenance to the third type d button which is The credit r^ opaadon to a used button is depicted in 

a postage di^sing device usable by postal clients. 65 FIG. lOB. step 1030. The credit command must first verify. 

In the postal authcnity (or authorized refill center), bodi a in step 1031, its authority level is conect and set at one by 

valid master and a valid agent button must be coupled to the the presence of valid and password unlocked master and 
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agent buttons. Provided this is the case, in step 1032. the 
amount of postage to be credited to the button is input by the 
authorized agent into a form dialog window and validated 
for correctness by the POCTAGEMAKER software. In Step 
1033, the CREDIT command, amount and a conglomeration 
g[ encrypted data known as a security packet are sent to the 
POSTAGE button which must decode and validate and if all 
appears to be valid, perfoaro the credit operation before the 
time-out signified in step 1034 which will occur if the 
response does not come back from the button to the host 
system 10 in a specified period of tune. It is die security 
packet that allows die button to continue with the credit 
operation. This data structure has a predefined layout and 
contents which are encryf^ed using a certain key and method 
of encryption. This security packet contains data items, such 
as identification numbers of master and agent issuing the 
CTcdit to the button, host date/time (which must matdi not 
exactly but closely with internal button date/time), worksta- 
tion number for host system 10 nuining the POSTAGE- 
MAKER software and postal authority location identifica- 
tion. Other data items could be used for checking purposes. 
This security packet is different in form and function from 
the one described herebelow in FIG. 6. 

FIG. 5A. which begins witf) step 500. depicts the tredit 
process. Box 501 reviews the material received from the 
host to detennine validity. Boxes 502-504 validate the 
security packet Box 505 validates the propa button is on 
the bus. Boxes 506-507 validate the valid credit amount and 
box 508 iqKlatcs the internal memofy. Box 509 ends the 
routine. 

FIG. 5B shows the button Debit Process which begins 
widi box 600. For boxes 601-605 a transaction buffer 
request from the host is checked. In boxes 607-60S the 
validity of debit amounts on the bus are checked. Box 609 
updates the internal registeis of the button and box 610 
aeates die security packet for transmission to the host Box 
611 ends the routine. 

Referring to FIG. 6 there is illustrated a preferred embodi- 
ment of the transformation of user information by the 
portable processor button into a data entity known as a 
security packet which is then handed off to the E-STAMP 
plication, running in a host processor-based system and 
transformed into an indicia for inclusion on an envelope. 

The process begins in Box 650 in the software, running in 
the host processor-based system, when a user fills out an 
envel<^ and demands of the program that it be printed with 
an indicia of x amount of postage determined by weight 
zone, etc.. as shown in boxes 654. 655 and 656. Much of the 
information to be jninted on the envelope will be transfcircd 
to the internal software printing functions which interact 
through interfaces with the **Windows*' operating system by 
methods well known in the art 

In addition and before this hand-off of information is 
accoo^lished, in Step 651. the program sends a command to 
the portable processor button 18 (FIG. lA) to create a data 
entity or f onn known as a security packet Included with the 
command is the data that will produce the envelope which 
includes, but is not limited to, date and time, current balance 
oi metering device, strike counter of total transactions, serial 
numba of meter, transaction id. debit amount addressee ZIP 
code, addressee name and class of postage. There is also a 
con^lement of information about the user: registration id. 
name, company and address. Included for secure access to 
the button is the personal identification number (FIN) which 
is the password used to unlock the button and is validated 
within the secure environment of the button. 
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Once the FIN is validated, the secure i^ocessor 18 accepts 
all of this data from the host process-based system and in 
Step 652, using internal math coprocessor hardware, encryp- 
tion software algorithms and encryption keys, the portable 

s processor produces the security packet using information 
from Boxes 657 and 658. The encryption algorithms can 
advantageously be RSA public/private key but might be 
changed at any time related to security issues. Indeed, dus 
security packet {s^oduced in the seaet and secure environ- 

.0 ment of the portable processor becomes indecipherable to 
the outside world including the host processor-based system. 
The only odier entity which should have knowledge of die 
keys to be able to decrypt this packet would be die postal 
authority in dieir designated mail sorting and scanning 

5 centCTs. 

In Step 653. the security packet is transmitted back as a 
response to the host processor-based system. This indeci- 
pherable security packet is then handled blindly by die 
program to the point where it is passed on to a software 

^ function within the program which will encode security 
packet 653 into a bar code image. The program then takes 
this bar code image, includes certain other unencrypted 
infc»mation for the visual identification of the postage 
indicia and passes this through the programmer's interface 

^ to the "Windows'* system to the standard printing facilities 
of that environment in a fashion well known in the ait. Also 
included in this step is die passing of the return and 
designation addresses and all other parts of the envelope 
which must be printed and can vary based on user choices 

^ before the printing step. 

These "Windows" printer drivers, supplied with the 
"Windows** system and apart firom the E-Stamp system, can 
change for any given printer installed, isolating an applica- 
tion program such as E-Stamp from die innate differences of 

^ these printers in a fashion known as "device independence" 
also well known in the art The driver, in Steps 655 and 656. 
does its work of printing cm the envelope. 654. which has 
already been inserted in the printer. 

Q In Stq> 1036 (FIG. lOB). a receipt is printed out for die 
customer and die results are written in a transaction log 
stored on host system 10 or on another system 10 connected 
to die system 10 running E-CTAMP or POSTAGEMAKER 
through a local area network. 

3 The POSTAGE button initialization operation for new 
(never used buttons) is shown in FIG. 10c beginning at 
STEP 1040. The initialization command must first verify, in 
step 1041. its authority level is correct and set at two by the 
presence of valid and password-unlocked master and agent 

0 buttons. I^ovided this is the case, in step 1042. the initial- 
ization function must locate a "blank" button on the bus. A 
blank button is defined as one which has pre-loaded oper- 
ating instructions in its internal read-only-memory which are 
specific to the PNM/Postal autiiority application outlined in 

5 this patent. The operating instructions must also be of the 
type of button being initialized. Thai is. those instructions 
for a POSTAGE button are somewhat different than those 
for a SECURITY DEVICE button necessitated by the dif- 
ferences in their operating behaviors and functions. 

0 When a button. POSTAGE or SECURTTY DEVICE type, 
receives an initialization command from die host system 10. 
it must first have instructions in it to tell it what initialization 
means and what should be performed to accomplish this. 
Thus, it is the button that Inidalizes itself after receiving a 

5 command from a host system 10. not die host system 10 
directiy writing in memory locations widiin the button. The 
architecture of the button is such that outside influence can 
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DOt directly change its operating instructions or memory. the gross differences in their operating behaviars and func- 

The host system for the button can only issue commands as tions. When a button, POSTAGE or SECURITY DEVICE 

defined in a narrow set of criteria to the button to make it type, receives an initiaiization command from the host 

perfonn a task such as initialization, credit or debit opera- system 10. it must first have instnictioos in it to tell it what 
ttons and repair of damaged memory. s initialization means and what should be performed to 

In Step 1043, the actual initialize command is issued from accomplish this. Thus, as discussed above, it is die button 

host system 10 to button and response of ccanpleted or not ^ initializes itself after receiving a command firom host 

must return befcre the time-out period as shown in step system 10, not the host system 10 dirccdy writing in 

1044 memory locations within the button. The architecture of the 

In step 1046, the positive or negative outcome are dis- 1° button is such that outside influences can not directly change 

played on host system 10 dispky screen to the agent. The openiting instructions or menwry. The host system for the 

transactionisloggedandacustomerreceiptisprintedoutby ^'f °" ^ only issue commands as d^ed in a narrow set 

POSTAGEMAraR before ending the initialization ftino- ^ the button to make it perfonn a task sudi as 

jJqjj initialization, credit or debit operations and repair of dam- 

The internal layout of data in RAM for a POSTAGE *^f^^°^, ^ i t i- ^ • 

button is depicted in HG. U as box 1201, , In Step 1063, the actual Initialize command is 

^~!,,™. .... „_ host system 10 to button and response of completed or not 

PpSTAGE button repair operation is shown in FIG. ^^^^ tj^^^, ^ 1^ 

Wp bepnnmg at step IftSIL The repan- command must first outcome is dis- 

verify. in step 1«51, Its authonty level IS correct and set at „ , . . in j.- i » . 

one by the presence of valid and password-unlocked inaster P'^yf*" °° host system 10 display screen to the agent. The 
A '^'^y^^"^^ ;r7^rr^.*T . . ^li, newly formatted agent button may now be removed from its 

andagentbuttons. Provided this IS the case, in step 1052. the ' j j- j . . ^ ■ 

repair function must locate a damaged, but still v!jid POST- o aJV '^'^ owner The internal 

AGE button on the bus. A damaged button is defined as one S^^- nO^'w^ " " 
which has some internal memory location(s) which have „ . . ', '„ ... ^, , . ,^ . 
been lost or changed because of internal program eirars in ^^^"^ '° ^0. IDA. and to the sda of fi^^ 
the POSTAGE button itself. Another t^^ "damage" discussion and undastanduig of this POSTAGEMAKER 
whidi may need repair might result if a POSTAGE button vjdidation process, if a real-world situation pr«ente 

had ever been lilted from its holder whUe a host system 10 ''^fj^^ ?^ ^ °^ ^*ASTER 
wasissuingcominandstoitandthebuttoowasinthemiddle „ and POCTAGE happen to be on the bus at flie same time, the 
ofexecutingsomeoflhosecomnandsandtheuscrliftedthe " FoP" button is located its respond aft» a s^^ 
button off of its holder. This would then immediately stop V^JJLI* SZ'^^L POSTAGEMAKER. 

execution of the internal operating code of the Iwtton. fuithemwe fteTOSTMAKm^ft^^ 
perhaps leaving the results of the intended chelation hide- * ''^l"™ that button's physical position on the 

jgjjojm^ bus IS not ofimportance. Once a button has been located and 

A more permiment kind of damage might be the loss of " "1^?^"^ w T'iJ^^a^SSi A^JiS^'^ni?^ 
internal RAM or ROM whidi w<iild i^bably be cata- °° f ^^J^^^^^ Th^ flexibility lends 

strophic enough that total replacement oTthe button would ^ ^ forgivenessto ord« of log on of Maaer or Agent 
be I order. Suet replacement would necessarily dicUte ^r^Z^f^!^^^^^^^ 
marking the button serial number as invaUd in the ^ user ^ ^™ ^ ^'^'^ 

registratioD database and entering the new button serial PREFERRED EMBODIMENT— PORTABLE 

number for that user once it has been replaced and regis- PROCESSOR LAYOUT 

na 11 depicts a functional layout of the Dallas Semi- 

In Step 1053. the actual Repair command is issued from conductor **smart*' button 182 which is the preferred 

host system 10 to the POSTAGE button and response of 45 embodiment of the portable postage dispensing device. The 

completed or not must return before time-out period as smart button is so called because of its button-like appear- 

shown in step 1054. The button must act on this conunand ance and small size and built-in memory 1104, 1107 and 

by checking its interna] structures insofar as it can to sec if processor (CPU) 1101. It is a microprocessor contained in a 

all is as it should be. If nothing seems out of order, there is hermetically sealed metal can with several other *1iybrid'* 

no repair work to be done. Otherwise, anything that can be 50 con^nents which make it even more useful in a secure 

reinitialized will be, and in any case, the results of the environment. 

operation are reported back to host system 10 and displayed Central processing unit (CPU) 1101 is a more efficient 

in Step 1056. copy of the original 8051 microprocessor of Intel Corpora- 

The AGENT button initialization operation is shown in don. l ikg most microprocessors, it executes instructions in 
FIG, lOE beginning at stq) lOM. The initialization com- 55 sequence out of a memory, in this case, 8 Kbytes of read only 
mand must first verily, in step 1061, its authority level is memory (ROM) 1107. This sequence of instructions is 
correct and set at two t>y the fvcscnce of a valid and sometimes known as a program or as operating code. Any 
password-unlocked master button. Provided this is Uie case, process which has been programmed into a CPU will also 
in step 1062. the agent initialization function must locate a require data to represent various control aspects of its task. 
*1)lanir button on the bus. A blank button is defined as one 60 Most of die data for die PNM postage dispensing devices is 
which has iH?-]oaded operating instructions in its internal kept in the 3 Kbytes of random access memory (RAM) 
read only memory which are specific to tiie PNM/Postal which are non-volatile. Scmiconductcff RAM loses its con- 
authority application outlined in this patent tents once powa is removed from it thus its volatile nature. 

As explained above, the operating instructions must also Where this unique device draws its power from will be 

be of the type of button being initialized. That is, those 65 discussed herebelow. However, in order to not lose the 

instructions for a POSTAGE button are somewhat different contents of the RAM t)etween uses of the button, a small 

than tfiose for a SECURTTY DEVICE button necessitated by battery 1103 with a life of 10 years is present 
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Included is a set of registers 1102 for various uses as 'Initial Fill Button Inventoiy Database** simultaneously with 
discussed herein. Id addition to die normal registers which its inclusion in a shrink-wrapped package of software to be 
are part of the 80Sl-like architecture of the smart button. shij^wd to users of ttie verification system. Once a given 
(hoe are several other general purpose registers which software package, button included, has been obtained by a 
p-ovlde such features as timed access to particularly sensi- 5 potential user, he/she tmist fill out an electronic user regis- 
tive RAM locations (such as the location of a oyptogr^hic "^^^^ present embodiment is ttiat of a "Win- 
key). Another register is used f« sequence checking of the J^^*^ separate from the inain program but 
operating code of the smart button. The use of this feature is » ««> the system installation disks. The reg- 
in making sure that the code is executing in the proper '«?»'«°" P««™^m««' a^ part of the installation 
sequence and has not somehow jumped out of its normal lo ^"t^. '<> issue postage. The 
path of execution because of an anomaly of programming or of the u^ filling out the form, sending it and the 
duetotampering. Anotherregisteiisareal-timectockwhich sfill-unrepaered button baclcfor reg«tration to be scanned 
givcsthebuttonself-suffidencyinknowingwhallheairrcnt tnto toe u«r re^tation database for 
time is relative to its explradon date and also as an unim- "Step 1401 and Step 14W. Ako mcludedin these 
peachable (in the sense that it can not easily be externaUy is f^' « Ihercmovalof the button ftom the Initul FUl Button 
tampered with) source of date stamping for the postage ^"^"^ Database now that it is a vaUd registered postage 
Ijj^j^^ ^ dispcnsmg device. Iq effect, the button. With its unique scnal 

, . ^j^.r number, was moved from one inventory to another. 

Several oflier specu^ features have been added just for purthexmore. as will be seen in future steps, the user 

PNM use. Itee is a 768-bit multiphcr arcurt whidi can registration database wiU be used for far more than just 

mul^plytwo 76&-bit op<™dsm«^^ 20 „Qnnal ^^^^tion of a software product, 

application of this is for the cryptographic chores which aie ^ 5 ^^^,3 ^ ^ ^ 

necessaiy in secure communications between host system 10 ^ ,7 r* . . "r ""^'^ m^uw uuuvu, 

to^ - *u f *. ■ J u * now fully registered and therefore legal to use m postage 

and button 182. Another feature IS random number generatcH' ^ si -.^^i. 

1 1 AS *^ «i «««*t, ^ A «^+ufL f-„< transactions. The user inserts the secure meter (button) in its 

1108. also for cryptographic algorithm use. Another feature - ^ ^ ^ , j • . .1. . \_ . 

J J T ^ fr^r^\ 4. iiA^ * interface receptacle and invokes the system control program 

IS a cyclic redundancy check (CRC) generates 1106 for use ^ ^ ^ ^ ^ l j ^ ^ * 

• • —1*. • ► -1 * ^ * • J £_ on the PC. Once a letter has been produced, with a certain 

m communications to verify integnty of data received from ^ - j^.^^ 

^.^^-A amount of postage, this amount of postage IS deducted from 

the host system 10. ^. f ^ j j *i. ui / x u 

^ the amount stored in the portable processor (memory) by 

One feature, not specific to this system, but necessary all commands from EnSTAMR The postal indicia with 

the same is a universal asynchronous receiver transmitter encrypted form of user informadon, postage amount, 

(UART) circuit 1109 for communication with the outside ^^tc, strike counter and other information is printed on a 

wOTld, This UAKT makes oontoct with host systems via the ^ibtX for sticking to an envelope or actually printed on an 

metal case surrounding the smart button. This metal case envelope. At this point, the mail object is entered into the 

must come in conUct with an interface circuit bus which is system of the Postal Authwity in Step 1401A. 

ultirnately connected to a ^^^^ system 10 via means weU ^ ^ of mail has been gath^ed and 

knownin tfie ailThe UART takes care of the taskof sendmg ^^^^ ^ processing fadUty. In Step 1405, the article 

and receiving bytes of informauon and mforming the CPU ^ p^,, 

0 Its status. indicia using bar code scanning technology coupled with 

Another function of this drcuit is to take "parasitic" industrial automation toward the goal of validation of the 
power from the host interface. This parasitic power is the ^ pre-paid rights to send the artidc of maH. The system, in 

voltage and current actually used to give the CPU and other step 1406. uses a series of criteria and checks to accomplish 

circuitry the power it needs to function at high speed without this. Exaiiq)lcs of criteria indudc, (but are not limited to): 1) 

the need to draw on the internal battery for anything but just the fact that the indicia, which was encrypted in Ae 

keeping the contents of the RAM and the realtime dock secure environment of the portable postage dispensing 

register live. Bus 1110 connects all of the internal devices device, can be decrypted gives a basic comfort levd of 

togctiier so that they can function as a unit. The manner in validation; 2) Check against the central user database for 

which the UAKT and parasitic power are arranged to inter- validation of expiration date, expected t>alanoe of meter as 

face with the outside world, through the metal can of the of now and special flags fw lost or stolen postable postage 

processor is unique and leads to increased usability for the dispensers giving the capability to invah'date them imich in 
entire device. ^ same way lost or stolen credit cards can be invalidated 

MEMORY LAYOUTS because of their validation against a central database. 

If the artide of mail passes, in Step 1407 A, the mail is 

FIG. 12 is the layout given to the 3K RAM in the routed to its nonxial destination. However, if the article of 

preferred embodiment for a postage button. All registration niail does not pass one of the tests, it is rejected to Step 
identity, current balance and history logging data are stored 55 1407B where an entry is written in an Anomaly database 

in box 1201. 1407C of items to be investigated. 

FIG, 13 is the layout given to the 3K .RAM in the The refill. Step 1408, haiqjens asynchronously to the rest 

preferred embodiment for a security device button such as of the steps, but is included, nevcrthdess, because of its 

an agent or liiastcr. As can be seen by comparison with FIG. contribution to the overall process loop. This is performed 
12. the SECURITY DEVICE is a similar, but limited subset 60 when a user has used most of the pre-paid credit on his/her 

of the POSTAGE memory definidons. There is just enough meter (portable processor) and must return &e portable 

data in box 1301 to identify its owner and to provide logging processor to an authorized refill station, such as the Postal 

services in wder to better know how various buttons are Authority. The preferred embodiments may indude simply 

being used. a host jn'ocessor-based system used by one authorized agent 

Referring now to FIG. 14, the process begins at Step 1400 65 to serve walk-up clients or an automated process whereby 

where a button is initially created and given a small token postage processor buttons are refill-processed in batches 

value. The button creation is marked by its entry into an widi little human interaction. In either case, the user pro- 
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Wdes his/her p<Mtable processor (memcny) to the authorized 
agent, along with prcpayxDcnt in the form of check, credit 
card or private account The p<Htable jsocessor is credited 
with the prepayment amount using a PC which is executing 
to accon^h this in a secured and authorized environment 5 
Once the portable processor has been credited, it is returned 
to the usa*. who can then continue to freely use the system 
to issue postage until die next time the portable processor 
must be refilled with pre-paid credits. 

The other inqxirtant coDtnbutioD of the system is its 
updating of the central user database with information on 
renewed e:q>iration date* user pre-paid balance, refilling 
station identification, etc. This information is invaluable in 
the validation Step 1406. 

As discussed above, the process loc^ gives the benefits of 
accounting and auditability of fx^-paid electronic postage to 
the adopting Postal Authority. 

While the invention has been shown to woxk in conjunc- 
tion with a postal indicia system, it should be understood 
that the indicia is simply a printed form of a data packet 
produced by the cooperative effort of the PC and ttie portable ^ 
processor. The data packet contains information that can be 
used for look up purposes in the database. Ihus. the data 
packet can serve to authenticate any data stream coming 
from the PC or can be to authenticate itself, diexeby granting 
a user certain privileges, based upon the authentication. For ^ 
example, die data packet could be associated widi airline 
tickets, either in printed form or in electronic form. In either 
event, die data packet associated with the document to be 
checked is authenticated Co prove the authenticity of the 
accon^anying data. As noted, the ''other** data can be ^ 
printed (the data packet would then be printed and scanned 
into the system) or the '*other** data could be electronic (the 
data packet could dien be electronic and read directiy). 

The afcarementioned E-STAMP and POSTAGEMAKER 
programs have been shown and described with respect to a 
"Windows" operating environment on a PC. Of course, other 
means could be employed for in4>lenienting the present 
invention within a host processor-based systenL 

Although the present invention and its advantages have ^ 
been described in detail, it should be understood that various 
dianges. substitutions and alterations can be made herein 
without dq>arting from the spirit and scope of the invention 
as defined by the spptndcd claims. 

What is claimed is: 

1. A method of establishing certain ones a plurality of 
portable prcx:essors as valid processors for the subsequent 
generation of graphical security indicia, said method includ- 
ing the steps of: 
temporarily connecting one of a pool of said portable 
processors to a computing system having its own 
processor separate from said a»inected portable pro- 
cessor; 

sending a data stream from said computing system to said 
connected portable processor, said data stream inter- 55 
acting with data previously stored unalterably within an 
authentic one of said portable processors to produce a 
protocol internal to authentic ones of said portable 
processors; 

letiniiing to said computing system from authentic ones of 60 
said portable processors under control of said produced 
protocol a data stream including a copy of at least a 
portion of said data unalterably stored within said 
portable processor; 

producing from said data stream a packet of information 65 
unique to both said computing system and said authen- 
tic one of said p<»table processors; and 



transmitting said produced data stream packet of infor- 
mation to a database external to both said computing 
system and said authentic one of said portable proces- 
sors for storage of at bast a portion of said produced 
data stream in said external database, said stored por- 
tion of said produced data stream being utilized to 
establish said authentic one of said portable processors 
as a valid processor for the subsequent generation of 
graphical security indicia. 

2. The method set forth in daim 1 wherein said r^uming 
step includes the step of encrypting said data stream. 

3. The method set forth in claim 2 further including the 
steps of: 

comparing data stcH^ unalterably in said connected one 
of said portable processors with data provided by a user 
of said confuting system, said unalterable data includ- 
ing a unique identification number obtained as a part of 
said returned data stream; and 

determining in part from said compared data that said 
transmitting stq) has been successfully concluded with 
respect to said connected portable memory thereby 
verifying that said connected portable processor is a 
valid portable processor for use with this particular 
conqxiting system. 

4. The method set forth in claim 3 furtiier comprising the 
step of: 

thereafter interchanging data between a usa operating 
said computing system and said verified one of said 
portable memories to create a data stream correspond- 
ing to a graphical security indicia having embedded 
therein a specific monetary value. 

5. The method set forth in claim 4 further including the 
step of encrypting said data interchange. 

6. Hie method set forth in claim 3 further comprising the 
step of: 

cornparing a password supplied under control of said user 
and a password stored in said producing one of said 
mcnwiy devices, said password distinct from said 
unique identification number. 

7. The method set forth in claim 6 wherein said data 
comparing step further includes the step of: 

checking a data clock within said producing one of said 
memory devices to insure that a prccstablished expi- 
ration date has not passed. 

8. Hie method set forth in daim 7 wherein said data 
checking step indudes the step of: 

establishing said expiration date a certain fixed period of 
tune after a specified type of interaction has occurred 
between said |Hoducing one of said memory devices 
and said user. 

9. The method set forth in claim 4 further including the 
step of: 

verifying the authentidty of produced ones of said gnq)hi- 
cal security indida by comparing data contained in said 
graphical security indida to data stored in said database 
with respect to said producing one of said portable 
processors. 

10. A method of establishing certain ones of a plurality of 
portable processors as valid processors for the subsequent 
control of the formulation of graphical security indida, said 
method including the steps of: 

temptararily connecting one of a pool of said portable 
processors to a computing system having Its own 
processor sq^arate frt}m said connected portable pro- 
cessor; 

sending a data stream from said computing system to said 
connected portable processor, said data stream intcr- 
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actiiig with data previously stored unalterably within an 
authentic one of said portable processors to produce 
data according to a protocol iotemal to authentic ones 
of said portable processors; 
sending to said counting system from authentic ones of 
said portable processors under control of said fvotocol 
said data as an encrypted data streanL said encrypted 
data stream containing data portions for interaction 
with data portions stored within said computing sys- 
tem; 

exchanging identification information stored in said com- 
puting system and said portable processor* wherein said 
identification information stored in said portable pro- 
cessor includes at least a portion oi said unalterably 
stored data: and 

generating, under control of said conqniting system and 
said sent encrypted data stream and in response to a 
determination that said identification information 
stored in both said computing system and said portable 
processor is valid, a data stream for fcrmiilating a 
gr^)hical security indicia, said gr£^hical security indi- 
cia axlapted to be visibly observable at a location 
remote from said computing system and said portable 
processor. 

11. The method set forth in claim 10 further including the 
steps of: 

observing a produced graphical security indicia at a 
location remote from said computing system; and 

con^aring observed ones of said security indicia against 
data stored tQ a database to determine the authenticity 
of said observed security indicia. 

12. The method set forth in claim 11 wherein said 
comparing step includes the step of comparing data con- 
tained within said observed security indicia with data rep- 
resenting the particular one of said portable processors 
which produced the encrypted data which controlled the 
formation of said security indicia. 

13. A system fot establishing certain ones of a plurality of 
portable jH-ocessors as valid processors for controlling the 40 
subsequent formulation of graphical security indicia, said 
system comprisingr 

a temporary connection of one of a pool of the portable 
processors to a computing system having its own 
processor separate from said cotmected portable pro- 
cessor; 

means for receiving in a connected one of said portable 
processors a data stream sent from said connected 
computing system, said data stream operable for inter- 
acting with data previously sta-ed unalterably within an 
authentic one of said portable processors to produce 
data according to a protocol internal to authentic ones 
of said portable processors; 

means controlled in part by said protocol for sending to 
said connected computing system from authentic ones 
of said portable processors said data as an encrypted 
data stream, said encrypted data stream containing data 
portions for interaction with data portions stored within 
said computing system; 

means for communicating identification information 
stored in said confuting system and said portable 
processor there between, wherein said identification 
information stored in said portable processor includes 
at least a portion of said unalterably stored data; and 

means for generating, under control of said computing 
system and said sent encrypted data stream and in 
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response to a determination that said identification 
information stored in both said cromputing system and 
said portable processcH- is valid, a data stream for 
formulating a graphical security indicia, said gr^hical 
security indicia ad^>ted to be visibly observable at a 
l(x:ation remote from said confuting system and said 
p<»table processor. 

14. The system set forth in claim 13 further including: 
means for observing a produced graphical security indicia 

at a location remote from said confuting system; and 
means for comparing observed ones of said security 
indicia against data stored in a data base to dctciminc 
the authenticity of said observed security indicia. 

15. The system set forth in claim 14 wherein said last- 
mentioned means includes means for comparing data con- 
tained within said observed security indicia with data rq>- 
resenting the particular one of said portable processors 
which product the encrypted data which controlled the 
formation of said security indicia. 

16. The system set forth in claim 13 wherein said portable 
prcx:essoff further includes means for obtaining at least 
partial power from a parasitic charge through the housing of 
said portable processor. 

17. A system of establishing certain ones of a plurality of 
portable processors as valid processors for the subsequent 
generation of graphical security indicia, said system com- 
prising: 

means fc^ temporarily connecting one of a pool of said 
portable processors to a counting system having its 
own processor separate from said connected potable 
processor; 

means for sending a data stream from said computing 
system to said connected portable processor, said data 
stream interacting witfi data i^eviously stored unalter- 
ably within an authentic one of said portable processors 
to produce a protocol internal to authentic ones of said 
portable processors; 

means for returning from authentic ones of said portable 
processors under control of said produced protocol a 
data stream including a copy of at least a porticm of said 
data unaltCTably stored within said portable processor; 

means for producing from said data stream a packet of 
information unique to both said computing system and 
said authentic one of said portable processors; and 

means for transmitting said produced data stream packet 
of information to a database external to both said 
computing system and said authentic one of said por- 
table processors for storage of at least a portion of said 
produced data stream in said external database, said 
stored portion of said produced data stream being 
utilized to establish said autiientic one of said portable 
processors as a valid f^ocessor for the subsequent 
generation of graphical security indicia. 

18. The system set foith in claim 17 further including: 
means for comparing data stored unalterably in said 

connected one of said portable processes with data 
provided by a user of said computing system, said 
unalterable data including a unique identification num- 
ber obtained as a part of said returned data stream; and 
means for determining in part from said con^arcd data 
that said transmitting step has been successfully con- 
cluded with respect to said connected portable memory 
thereby verifying said connected p<»table processor is 
a valid portable processor for use with this particular 
computing system. 
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19. The system set forth in claim 18 further indudlng: 
mcaos operable under cootrd of said determining means 
for thereafter interchanging data between a user oper- 
ating said confuting system and said validated one of 
said portable memories to create a data stream corre- 
sponding to a grai^cal security indicia having embeds 
dcd tfierein a specific monetary value. 
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20. The system set forth in daim 19 liiither inchiding: 
means for verifying the authenticity of produced ones of 
said graphical security indicia by conqiaring data con- 
tained in said graphical security indicia to data stored in 
said data base uath respect to said producing one of said 
portable processcas. 
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